IPSEC tunnel fails with "pfkey UPDATE failed: Invalid argument"

From: George (subscriptions_at_navig.ca)
Date: 09/29/05


Date: Wed, 28 Sep 2005 22:46:59 -0400


        Hi,

        Could someone please tell me why the IPSEC tunnel I am trying to make fails as
follows:

racoon -F -f /etc/racoon/racoon.cfg
Foreground mode.
2005-09-28 22:34:39: INFO: @(#)ipsec-tools 0.6.beta1
(http://ipsec-tools.sourceforge.net)
2005-09-28 22:34:39: INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar
2004 (http://www.openssl.org/)
2005-09-28 22:34:40: INFO: 69.70.21.106[500] used as isakmp port (fd=5)
2005-09-28 22:34:40: INFO: 69.70.21.106[500] used for NAT-T
2005-09-28 22:34:40: INFO: IPsec-SA request for 64.235.194.78 queued due to
no phase1 found.
2005-09-28 22:34:40: INFO: initiate new phase 1 negotiation: 69.70.21.10
[500]<=>64.235.194.78[500]
2005-09-28 22:34:40: INFO: begin Identity Protection mode.
2005-09-28 22:34:45: INFO: ISAKMP-SA established 69.70.21.10
[500]-64.235.194.78[500] spi:e095758065e98bfa:1b2c7ac9b51a6ffe
2005-09-28 22:34:46: INFO: initiate new phase 2 negotiation: 69.70.21.10
[0]<=>64.235.194.78[0]
2005-09-28 22:34:47: ERROR: pfkey UPDATE failed: Invalid argument
2005-09-28 22:34:47: ERROR: pfkey ADD failed: Invalid argument
2005-09-28 22:35:16: ERROR: 64.235.194.78 give up to get IPsec-SA due to
time up to wait.
2005-09-28 22:35:16: INFO: IPsec-SA expired: ESP/Tunnel
64.235.194.78->69.70.21.106 spi=230932054(0xdc3be56)

        What does that mean, and how should I correct the problem? All necessary options
for IPSEC are in the kernel (2.6.13) that I use. I also run a NAT firewall on
that box, but it should not affect things. What does "pfkey UPDATE failed" mean?

        Any help appreciated,
        George.


